The Free Software Foundation takes aim at Gmail

(PhysOrg.com) -- The Free Software Foundation is at it again, promoting their laudable, if potentially unrealistic, goal to have all software released under a free software license. Their latest target for information freebies is Gmail. For those of you not familiar with this service, Gmail is the free web mail that is provided by Google.

Why does the Free Software Foundation take issue with Gmail? One word: JavaScript. This isn't the organization's first exploration into the world of JavaScript. They commonly post tutorials and articles that explain how to use popular websites without having to run JavaScript, which often runs within your browser. Currently, if you disable JavaScript you cannot use Gmail. The Free Software Foundation refers to this as the JavaScript Trap, since users may or may not be aware that the JavaScript is being run by the browser.

This is not a Google-specific issue; it is the general stance of the Free Software Foundation that some of the most popular sites on the web, such as Gmail, Twitter and Facebook, rely on JavaScript more than they need to. They also believe that when JavaScript is used, the company providing the product should release it as free software. They also take the position that, when JavaScript is used to provide an optional enhancement to a website, the company should also release a version of the site that does not use JavaScript.

Pardon my editorializing at this point: while free software licenses are a good thing, and this reporter enjoys the wide world of Open Source, the idea that companies owe these modifications is a little presumptuous. There has to be some consideration, not for the companies, but for their users. The public release of the code for these websites and creation of HTML-only versions of these sites could lead to serious security issues. Not everyone is ethical, and once data is released for the public it is impossible to control how it will be used. I, for one, would be more than a little angry if my personal data got out because of your pressure to release everything into the open.

The bottom line is this. If JavaScript bothers you that much, then don't use these sites. No one is forcing you to Tweet. Gmail isn't the only game in town. Many people live full and rich lives without a Facebook account.


User comments : 35

That's a pretty naive viewpoint; for exactly the reasons you mention, "security by obscurity" has been repeatedly shown to be a far worse strategy than open transparency where everyone who cares about the security can see for themselves if it truly is secure. One need only follow the security alert services to see how often exploits are reported AFTER being exploited in the hidden codebase vs how very very often exploits are reported BEFORE they are exploited in the opensource codebase.

The issue of whether or not to use GMail is also a bit of a naive approach, but perhaps your employer is more flexible than most. Mine regularly releases important documents only as Google Docs, and many orgs now depend on the Google Apps for Your Domain service; if someone sets themselves up to be core infrastructure, it just seems to me they have a social responsibility to be responsible about it, and that means being transparent about it. Most don't, probably the vast majority, but still ...

If a patent clerk can reject an energy machine or the use of catalysts in said machine based on the claim that, "Anyone skilled in the art would think to do so...," then patenting software should be impossible based on the fact that, "eventually, anyone skilled in the art would come up with the same optimized code."

Patenting software is basically as absurd as patenting the quadratic formula or Pythagorean Theorem

The Free Software Foundation is at it again, promoting their laudable, if potentially unrealistic, goal to have all software released under a free software license.

Dear Katie Gatto, If you are planning on being a journalist, you should drop out now and go work at McDonalds. Either that, or work for Fox News.

I don't know how much MORE biased you could have written this. If you're NOT a lawyer then you should not be so smug as to the assumption of legal contracts that are accepted by the use of a licensed piece of software - REGARDLESS of the license.

My company spends millions of dollars on software and lots of time (and the use of special software) to manage and track software licenses. You better believe it's big time and a serious situation. It will be worked out based on contract law - NOT your "childish feelings" of what should and should not be free.

Patenting software is basically as absurd as patenting the quadratic formula or Pythagorean Theorem

Depends on what kind of software. Frequently, patents cover not so much software per se, but a particular algorithm, UI paradigm, or architectural principle. For instance, there are numerous ways to compress a movie. If I invent a new way that's more efficient by some metric, I should be able to patent the algorithm if I so choose.

Keep in mind that patents have a limited shelf life (e.g. in US, they expire after 20 years), so if I somehow manage to discover the absolute best most efficient possible algorithm, it will still be free to use by anyone within just a couple of decades.

Providing a no-JS version seems like a worthy goal, asking them to release their code as open-source not so much, but then it's the FSF's right to ask Google if they want to (Google doesn't need to comply).

I'm also not a fan of opinions on news articles, or I'd be reading a blog. However, there was some separation between the "news" part and the "opinion" part. If the opinion was in a box or linked to, as opposed to being part of the main news body, I think it would be ok. As long as it's clearly labeled.

About software patents: patenting new algorithms has been done for decades; patenting the exact sequence of holes in a punch card to do it (source-code) seems highly suspicious.

patenting the exact sequence of holes in a punch card to do it (source-code) seems highly suspicious.

Nobody does that, AFAIK. It would defeat the whole point of the patent, as it would be relatively trivial to alter the sequence of holes (source code) to do the same thing but in a slightly different way, thereby escaping patent restrictions and evading licensing fee demands. When people file for patents, they always try to make their claims as broad as possible, to prevent competitors from playing fast and loose in precisely such ways.

"Katie Gatto is an experienced technology blogger, and technophile, who uses both the Mac and Windows systems to manage her online life. She has a M.S. in Information Systems and a B.A. in English.

She has written for several technology sites and writes for a wide range of technology users. From showing Mac users helpful freeware on MacApper, to helping people be more productive through web-ware on AppMag, talking about open source technology on the Alternate Systems blog, she has covered all of the major operating systems."

JS is always available as source code to any web user (right-click page, view source). Maybe they're wanting the legal /right/ to reuse it in -addition- to having access to the source too?

I use JS on pretty much 100% of the web apps I write... You pretty much have to. It's usually pretty simple stuff like setting the focus to an edit field, responding to a button click to display an alert box before posting back, etc... sometimes some calculations and rendering new UI controls, client side, or calling a web service. If anyone wants to snip my JavaScript code, there's nothing stopping them. There's never anything worthy of licensing out, nor even reusing, for that matter... It's little snippets that are super-specific to that page to provide a wee bit of UI enhancement on the client side.

No way am I wasting time to write TWO of everything!

Things worthy of reuse are full js libs and Google DOES give away (some?) their js libs.

I have to say that anyone referencing Stallman loses lots of credibility. FOSS has been here a while, I'll admit, but the fact that we have had proprietary software on our personal computers since the 80s (earlier for some) proves that the world hasn't exploded due to proprietary software. As someone else said, if you want a FOSS interface to GMail use IMAP and the client of your choice. Oddly enough it also means you don't see all those pesky ads which support the service you aren't paying for at all.

Katie, previous commenters were right when they said that it isn't for security by obscurity, since you can see any javascript you want. It is just the fact that Stallman is a "purist" and he should keep using lynx which wouldn't let him get onto GMail or Facebook.

it isn't for security by obscurity, since you can see any javascript you want

Not quite. One of Stallman's main problems with gmail is that apparently Google obfuscates its javascript (removing whitespace and reducing function/variable names to single-letters, and so on) to the point that reading it (much less comprehending it) becomes a reverse-engineering challenge. This may not be intentional obfuscation to prevent other parties from using the code, so much as an optimization tactic designed to reduce bandwidth demands for page loads. Still, the effect is the same.

Stallman's other big problem with Javascript in general is that Javascript embedded into apps like gmail can't be customized by any third party (including the user); FOSS principles aspire to give any user the flexibility to modify any software or app they're using (or in fact, explicitly reject any software that isn't FOSS.) Javascript has a way of "sneaking in" under the radar along with the HTML content.

I might be wrong, but being as JavaScript is run in your browser, can't you just do a View Source and read it?

Yes. But I think part of what they're objecting to is the /optimized/ javascript that's trimmed down to reduce download time, makes it unreadable. But, most, if not all, of Google's js libraries are publicly available in their un-optimized (debug) form.

obfuscates its javascript (removing whitespace and reducing function/variable names to single-letters, and so on) to the point that reading it (much less comprehending it) becomes a reverse-engineering challenge.

That is a joke of an excuse. People writing in c have obfuscated their code by using cute tricks for years making it impossible to read it and I've seen quite a bit of that released as FOSS. If limited white space and single-letter variable names is what he is whining about, then don't let him near any of the ancient legacy F77 or F66 code that somehow still gets used in physics and engineering. He will have to cry himself to sleep after seeing that.

I might be wrong, but being as JavaScript is run in your browser, can't you just do a View Source and read it?

Yes. But I think part of what they're objecting to is the /optimized/ javascript that's trimmed down to reduce download time, makes it unreadable. But, most, if not all, of Google's js libraries are publicly available in their un-optimized (debug/human readable) form.

If limited white space and single-letter variable names is what he is whining about, then don't let him near any of the ancient legacy F77 or F66 code that somehow still gets used in physics and engineering.

Although Fortran code certainly has its drawbacks, readability is no problem - if you are a real programmer. But aligning F66 with F77 in the same statement is a sure sign you are no real programmer.

And IF you wonder why "somehow" fortran "still" gets used THEN begin to wonder why "somewhere" they are "still" using supercomputers instead of Windows-decorated PCs.

Dear Katie Gatto, If you are planning on being a journalist, you should drop out now and go work at McDonalds. Either that, or work for Fox News.

I don't know how much MORE biased you could have written this. If you're NOT a lawyer then you should not be so smug as to the assumption of legal contracts that are accepted by the use of a licensed piece of software - REGARDLESS of the license.

Really?! Is that necessary? It's one thing to disagree with someone's opinion, but to demonize them for sharing that opinion is uncalled for. If you can't provide a reasoned response for why their position is incorrect, please don't respond...

@nada, Really?! Is that necessary? It's one thing to disagree with someone's opinion, but to demonize them for sharing that opinion is uncalled for. If you can't provide a reasoned response for why their position is incorrect, please don't respond...

I don't provide reasoned response to an article that is so clearly yellow journalism.

I also would flame Glenn Beck - as opposed to wasting my time trying to "reason" with him.

Because most people who look at the code are amateurs who couldn't find a hole from their own behinds. In the worst case, nobody is being paid to do a proper audit, so most of the more obscure problems are never discovered.

Meanwhile, all criminals can look at the code, and they don't have to tell anybody about what they find. They have much more motivation to gain expertise and find the security problems than the unpaid amateur coder that puts his trust on the software because "someone's probably looked at it".

In fact, a rational person would estimate that since the source is available to all, there will be both good and bad people who know about the security holes, and the bad guys aren't telling, so there will be exploits in the software known only to the criminals and thus Open Source won't be secure.

As a sometime application and web-application developer (and now Manager) it seems to me that there are some merits to both sides of this argument.

On the one hand, it can be difficult to make money from totally free software, depending on what the software does and how it does it, and as a general rule I've found that even software developers and their families like to eat.

On the other hand, there appear to be some serious flaws with Stallman's approach and suggestions to the use of JavaScript (or, if you read the linked article on "The JavaScript Trap", other languages that work similarly). The suggestion that, "...a JavaScript program [be considered] nontrivial if it makes an AJAX request, and ... if it defines methods and either loads an external script or is loaded as one" looks fraught with problems.

To start with, even Stallman's suggestion that the source be provided through an '// @source:' link in a header would invoke this rule. (The link downloads an external script.)

Much more serious though, IMHO is the suggestion that a browser be able to run some modified version (up to a complete replacement set of scripts) of the downloaded JavaScript programming. This seems to offer an open invitation to anybody to hack the code for malicious intent at the server (and if you've never had to deal with a JS-invoked SQL injection attack, go find out about it; and that's an almost trivial attack vector).

Yes, good server-side coding will stop most attacks but it's difficult to be able to guarantee to stop every possible thing. Can any coder claim to know all possible hack modes? Including those yet to be invented?

It's easy enough for anyone to provide a link to a source code copy of any JavaScript code already, without the need to invent yet another "tag" (the @source: idea). In fact, since Stallman is so hot on openness, free-ness and Standards, why not suggest this as part of the RDF Standard? Or as a Meta tag? (Oh, wait! You can already do that...)

A major criticism seems to be that browsers "silently load and run..." such programs. Well, quite frankly most users wouldn't want to "ok" every script to run but it's already possible to set the browser to do so if you want (and personally, my FF4 browser includes the "NoScript" add-on which prevents scripts from running silently - including itself at installation - and asks what I want to do with them). So what's the big deal?

And as many others here have noted, the JS is easy enough to grab (view source). Even if it's obfuscated by the minimisation process, this won't stop savvy-enough users looking at it.

A criticism of this is that the compacted code (and hence obfuscated through removal of whitespace, reduction of variables to single characters, etc) is not the source code. Well, that too is arguable IMHO. What constitutes source code? Stallman doesn't say but he does argue it's the preferred code to modify (this seems tautological to me).

The source code in this downloaded-app context is what gets compiled, whether it's obfuscated/compacted code or not is irrelevant. (Not considering the vexed issue of pcode or bytecode-style downloads.)

What he's arguing is (human) readability. That's not germane to his argument - free software doesn't imply that it also must be human-readable. (Open source does imply this but open source isn't his argument in that article - it is clearly & specifically about free vs not-free and humanly-readable.)

I'm not against either free or open source software - I use and like a lot of it. But this is a bad and unnecessary idea he's promoting.

Security by trust in the proprietary source vendor is a sword with how many edges?

Because most people who look at the code are amateurs

That's irrelevant as long as some knowledgeable person looks at it.

In the worst case, nobody is being paid to do a proper audit, so most of the more obscure problems are never discovered.

This worst case doesn't seem to happen in real life as there are always very ambitious unpaid people to detect and remedy zero day exploits. Pragmatism rules, not theory.

In fact, a rational person would estimate that since the source is available to all, there will be both good and bad people who know about the security holes, and the bad guys aren't telling, so there will be exploits in the software known only to the criminals and thus Open Source won't be secure.

A rational person knows that one good guy is enough to tell the truth for all to know.
